The Biggest Bank Heist in History Is Coming

In February, the Office of the Comptroller of the Currency’s acting head Michael Hsu announced plans for new rules on operational resilience for large banks with critical operations, including third-party service providers. Critically, he did not discuss how these rules will treat the use of permissioned networks by the big banks to tokenize real world assets and liabilities, an omission that neglects critical new vulnerabilities for the global financial system.

As Hsu pointed out, bank call report data show that the top four custodian banks alone now safeguard over $108 trillion in assets. These assets are in the process of being tokenized by the big banks, which is the process of creating digital representations of real world assets and liabilities on blockchain. These banks have been piloting the tokenization of bank deposits and will soon turn to tokenizing U.S. Treasuries and corporate debt.

Regulators acknowledge this tokenization trend. The Fed’s Vice-Chair Michael Barr announced last September the launch of the Fed’s Novel Activities Supervision Program while allowing state-member banks to also explore tokenization if they demonstrate sufficient risk management. In November, Hong Kong’s Securities & Finance Commission issued regulatory guidance on the tokenization of securities, and the OCC held a symposium on tokenization in February.

This mainstreaming of crypto by traditional financial institutions and regulators is exciting. But these banks are mostly tokenizing on permissioned networks, which regulators are encouraging. In December, while announcing plans to revise its bank capital standard for crypto-assets, the Basel Committee on Banking Supervision stated that since permissionless blockchains “create risks that cannot be sufficiently mitigated at present”, the highest bank capital requirements would be retained for crypto-assets held on permissionless blockchains. The Committee probably concluded this because permissionless blockchains are maintained by thousands of validators that are not subject to regulatory authorities, while permissioned networks would be controlled by banks.

In his keynote speech at last month’s OCC symposium on tokenization, Hyun Song Shin, the top economic advisor at the Bank for International Settlements, reiterated the BIS’ vision of bringing all global central banking onto the same platform called the “unified ledger.” Shin argued that tokenization can improve settlement and enable programmability without the need for blockchains.

These remarks do not explain how tokenization would work without blockchains. You can see how a universal ledger would be possible, but it would be a ledger controlled by a single central bank or small group of central banks.

Following on the tails of Shin’s keynote speech, Hsu gave a speech to the Financial Stability Board’s Crypto Working Group. He questioned the need for blockchains in tokenization . “If blockchains are not necessary … one wonders what the future landscape of tokenized real-world assets and liabilities might look like, and what the financial stability profiles of different scenarios might be,” he said. The answer is that the financial stability implications might be huge and dire.

Regulators tend to misunderstand the key feature of blockchain technologies, which is decentralization. A truly decentralized blockchain requires thousands of validators to build and maintain it. This also means that, if one validator is attacked, then the other validators can continue to operate and support the blockchain. This is the ultimate definition of operational resiliency.

Truly decentralized blockchains are very challenging to hack. In fact, the Bitcoin blockchain has never been successfully hacked since its inception in 2009. This is not to say that there aren’t other types of risks with blockchain systems. But, in a time when cybersecurity hacks are so frequent that they’re barely newsworthy, this fact is truly remarkable.

By contrast, most successful crypto hacks usually involve centralized protocols where hackers only need to hack the admin keys of only one or a few actors to gain control and steal digital assets. Similarly, permissioned networks are controlled by only a few parties, so they can be more easily hacked than blockchains maintained by thousands of validators. The concentration of attack vectors in the big banks that control these permissioned networks (or the central banks that control non-blockchain ledgers) is like sticking targets on their backs.

Encouraging the use of permissioned networks over permissionless blockchains will inevitably lead to cybersecurity attacks on a scale previously unknown as the financial system moves to tokenize trillions of dollars’ worth of real world assets and liabilities. The biggest bank heist in history is in the making.